1# 2# System Server aka system_server spawned by zygote. 3# Most of the framework services run in this process. 4# 5 6typeattribute system_server coredomain; 7typeattribute system_server mlstrustedsubject; 8typeattribute system_server scheduler_service_server; 9typeattribute system_server sensor_service_server; 10typeattribute system_server stats_service_server; 11 12# Define a type for tmpfs-backed ashmem regions. 13tmpfs_domain(system_server) 14 15# Create a socket for connections from crash_dump. 16type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket"; 17 18# Create a socket for connections from zygotes. 19type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket"; 20 21allow system_server zygote_tmpfs:file read; 22allow system_server appdomain_tmpfs:file { getattr map read write }; 23 24# For Incremental Service to check if incfs is available 25allow system_server proc_filesystems:file r_file_perms; 26 27# To create files and get permission to fill blocks on Incremental File System 28allow system_server incremental_control_file:file { ioctl r_file_perms }; 29allowxperm system_server incremental_control_file:file ioctl { INCFS_IOCTL_CREATE_FILE INCFS_IOCTL_PERMIT_FILL }; 30 31# To get signature of an APK installed on Incremental File System and fill in data blocks 32allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS }; 33 34# For art. 35allow system_server dalvikcache_data_file:dir r_dir_perms; 36allow system_server dalvikcache_data_file:file r_file_perms; 37 38# When running system server under --invoke-with, we'll try to load the boot image under the 39# system server domain, following links to the system partition. 40with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;') 41 42# /data/resource-cache 43allow system_server resourcecache_data_file:file r_file_perms; 44allow system_server resourcecache_data_file:dir r_dir_perms; 45 46# ptrace to processes in the same domain for debugging crashes. 47allow system_server self:process ptrace; 48 49# Child of the zygote. 50allow system_server zygote:fd use; 51allow system_server zygote:process sigchld; 52 53# May kill zygote on crashes. 54allow system_server { 55 app_zygote 56 crash_dump 57 webview_zygote 58 zygote 59}:process { sigkill signull }; 60 61# Read /system/bin/app_process. 62allow system_server zygote_exec:file r_file_perms; 63 64# Needed to close the zygote socket, which involves getopt / getattr 65allow system_server zygote:unix_stream_socket { getopt getattr }; 66 67# system server gets network and bluetooth permissions. 68net_domain(system_server) 69# in addition to ioctls allowlisted for all domains, also allow system_server 70# to use privileged ioctls commands. Needed to set up VPNs. 71allowxperm system_server self:udp_socket ioctl priv_sock_ioctls; 72bluetooth_domain(system_server) 73 74# Allow setup of tcp keepalive offload. This gives system_server the permission to 75# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to 76# be granted individually, except for a small set of safe values allowlisted in 77# public/domain.te. 78allow system_server appdomain:tcp_socket ioctl; 79 80# These are the capabilities assigned by the zygote to the 81# system server. 82allow system_server self:global_capability_class_set { 83 ipc_lock 84 kill 85 net_admin 86 net_bind_service 87 net_broadcast 88 net_raw 89 sys_boot 90 sys_nice 91 sys_ptrace 92 sys_time 93 sys_tty_config 94}; 95 96# Trigger module auto-load. 97allow system_server kernel:system module_request; 98 99# Allow alarmtimers to be set 100allow system_server self:global_capability2_class_set wake_alarm; 101 102# Create and share netlink_netfilter_sockets for tetheroffload. 103allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl; 104 105# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps. 106allow system_server self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read }; 107 108# Use netlink uevent sockets. 109allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; 110 111# Use generic netlink sockets. 112allow system_server self:netlink_socket create_socket_perms_no_ioctl; 113allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl; 114 115# libvintf reads the kernel config to verify vendor interface compatibility. 116allow system_server config_gz:file { read open }; 117 118# Use generic "sockets" where the address family is not known 119# to the kernel. The ioctl permission is specifically omitted here, but may 120# be added to device specific policy along with the ioctl commands to be 121# allowlisted. 122allow system_server self:socket create_socket_perms_no_ioctl; 123 124# Set and get routes directly via netlink. 125allow system_server self:netlink_route_socket nlmsg_write; 126 127# Kill apps. 128allow system_server appdomain:process { getpgid sigkill signal }; 129# signull allowed for kill(pid, 0) existence test. 130allow system_server appdomain:process { signull }; 131 132# Set scheduling info for apps. 133allow system_server appdomain:process { getsched setsched }; 134allow system_server audioserver:process { getsched setsched }; 135allow system_server hal_audio:process { getsched setsched }; 136allow system_server hal_bluetooth:process { getsched setsched }; 137allow system_server hal_codec2_server:process { getsched setsched }; 138allow system_server hal_omx_server:process { getsched setsched }; 139allow system_server mediaswcodec:process { getsched setsched }; 140allow system_server cameraserver:process { getsched setsched }; 141allow system_server hal_camera:process { getsched setsched }; 142allow system_server mediaserver:process { getsched setsched }; 143allow system_server bootanim:process { getsched setsched }; 144 145# Set scheduling info for psi monitor thread. 146# TODO: delete this line b/131761776 147allow system_server kernel:process { getsched setsched }; 148 149# Allow system_server to write to /proc/<pid>/* 150allow system_server domain:file w_file_perms; 151 152# Read /proc/pid data for all domains. This is used by ProcessCpuTracker 153# within system_server to keep track of memory and CPU usage for 154# all processes on the device. In addition, /proc/pid files access is needed 155# for dumping stack traces of native processes. 156r_dir_file(system_server, domain) 157 158# Write /proc/uid_cputime/remove_uid_range. 159allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr }; 160 161# Write /proc/uid_procstat/set. 162allow system_server proc_uid_procstat_set:file { w_file_perms getattr }; 163 164# Write to /proc/sysrq-trigger. 165allow system_server proc_sysrq:file rw_file_perms; 166 167# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories. 168allow system_server stats_data_file:dir { open read remove_name search write }; 169allow system_server stats_data_file:file unlink; 170 171# Read /sys/kernel/debug/wakeup_sources. 172allow system_server debugfs_wakeup_sources:file r_file_perms; 173 174# Read /sys/kernel/ion/*. 175allow system_server sysfs_ion:file r_file_perms; 176 177# The DhcpClient and WifiWatchdog use packet_sockets 178allow system_server self:packet_socket create_socket_perms_no_ioctl; 179 180# 3rd party VPN clients require a tun_socket to be created 181allow system_server self:tun_socket create_socket_perms_no_ioctl; 182 183# Talk to init and various daemons via sockets. 184unix_socket_connect(system_server, lmkd, lmkd) 185unix_socket_connect(system_server, mtpd, mtp) 186unix_socket_connect(system_server, zygote, zygote) 187unix_socket_connect(system_server, racoon, racoon) 188unix_socket_connect(system_server, uncrypt, uncrypt) 189 190# Allow system_server to write to statsd. 191unix_socket_send(system_server, statsdw, statsd) 192 193# Communicate over a socket created by surfaceflinger. 194allow system_server surfaceflinger:unix_stream_socket { read write setopt }; 195 196allow system_server gpuservice:unix_stream_socket { read write setopt }; 197 198# Communicate over a socket created by webview_zygote. 199allow system_server webview_zygote:unix_stream_socket { read write connectto setopt }; 200 201# Communicate over a socket created by app_zygote. 202allow system_server app_zygote:unix_stream_socket { read write connectto setopt }; 203 204# Perform Binder IPC. 205binder_use(system_server) 206binder_call(system_server, appdomain) 207binder_call(system_server, binderservicedomain) 208binder_call(system_server, dumpstate) 209binder_call(system_server, fingerprintd) 210binder_call(system_server, gatekeeperd) 211binder_call(system_server, gpuservice) 212binder_call(system_server, idmap) 213binder_call(system_server, installd) 214binder_call(system_server, incidentd) 215binder_call(system_server, iorapd) 216binder_call(system_server, netd) 217binder_call(system_server, notify_traceur) 218binder_call(system_server, statsd) 219binder_call(system_server, storaged) 220binder_call(system_server, update_engine) 221binder_call(system_server, vold) 222binder_call(system_server, wificond) 223binder_call(system_server, wpantund) 224binder_service(system_server) 225 226# Use HALs 227hal_client_domain(system_server, hal_allocator) 228hal_client_domain(system_server, hal_audio) 229hal_client_domain(system_server, hal_authsecret) 230hal_client_domain(system_server, hal_broadcastradio) 231hal_client_domain(system_server, hal_codec2) 232hal_client_domain(system_server, hal_configstore) 233hal_client_domain(system_server, hal_contexthub) 234hal_client_domain(system_server, hal_face) 235hal_client_domain(system_server, hal_fingerprint) 236hal_client_domain(system_server, hal_gnss) 237hal_client_domain(system_server, hal_graphics_allocator) 238hal_client_domain(system_server, hal_health) 239hal_client_domain(system_server, hal_input_classifier) 240hal_client_domain(system_server, hal_ir) 241hal_client_domain(system_server, hal_light) 242hal_client_domain(system_server, hal_memtrack) 243hal_client_domain(system_server, hal_neuralnetworks) 244hal_client_domain(system_server, hal_oemlock) 245hal_client_domain(system_server, hal_omx) 246hal_client_domain(system_server, hal_power) 247hal_client_domain(system_server, hal_power_stats) 248hal_client_domain(system_server, hal_rebootescrow) 249hal_client_domain(system_server, hal_sensors) 250hal_client_domain(system_server, hal_tetheroffload) 251hal_client_domain(system_server, hal_thermal) 252hal_client_domain(system_server, hal_tv_cec) 253hal_client_domain(system_server, hal_tv_input) 254hal_client_domain(system_server, hal_usb) 255hal_client_domain(system_server, hal_usb_gadget) 256hal_client_domain(system_server, hal_vibrator) 257hal_client_domain(system_server, hal_vr) 258hal_client_domain(system_server, hal_weaver) 259hal_client_domain(system_server, hal_wifi) 260hal_client_domain(system_server, hal_wifi_hostapd) 261hal_client_domain(system_server, hal_wifi_supplicant) 262 263# Talk with graphics composer fences 264allow system_server hal_graphics_composer:fd use; 265 266# Use RenderScript always-passthrough HAL 267allow system_server hal_renderscript_hwservice:hwservice_manager find; 268allow system_server same_process_hal_file:file { execute read open getattr map }; 269 270# Talk to tombstoned to get ANR traces. 271unix_socket_connect(system_server, tombstoned_intercept, tombstoned) 272 273# List HAL interfaces to get ANR traces. 274allow system_server hwservicemanager:hwservice_manager list; 275 276# Send signals to trigger ANR traces. 277allow system_server { 278 # This is derived from the list that system server defines as interesting native processes 279 # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in 280 # frameworks/base/services/core/java/com/android/server/Watchdog.java. 281 audioserver 282 cameraserver 283 drmserver 284 gpuservice 285 inputflinger 286 mediadrmserver 287 mediaextractor 288 mediametrics 289 mediaserver 290 mediaswcodec 291 netd 292 sdcardd 293 statsd 294 surfaceflinger 295 vold 296 297 # This list comes from HAL_INTERFACES_OF_INTEREST in 298 # frameworks/base/services/core/java/com/android/server/Watchdog.java. 299 hal_audio_server 300 hal_bluetooth_server 301 hal_camera_server 302 hal_codec2_server 303 hal_face_server 304 hal_fingerprint_server 305 hal_gnss_server 306 hal_graphics_allocator_server 307 hal_graphics_composer_server 308 hal_health_server 309 hal_neuralnetworks_server 310 hal_omx_server 311 hal_power_stats_server 312 hal_sensors_server 313 hal_vr_server 314 system_suspend_server 315}:process { signal }; 316 317# Use sockets received over binder from various services. 318allow system_server audioserver:tcp_socket rw_socket_perms; 319allow system_server audioserver:udp_socket rw_socket_perms; 320allow system_server mediaserver:tcp_socket rw_socket_perms; 321allow system_server mediaserver:udp_socket rw_socket_perms; 322 323# Use sockets received over binder from various services. 324allow system_server mediadrmserver:tcp_socket rw_socket_perms; 325allow system_server mediadrmserver:udp_socket rw_socket_perms; 326 327userdebug_or_eng(`perfetto_producer({ system_server })') 328 329# Get file context 330allow system_server file_contexts_file:file r_file_perms; 331# access for mac_permissions 332allow system_server mac_perms_file: file r_file_perms; 333# Check SELinux permissions. 334selinux_check_access(system_server) 335 336allow system_server sysfs_type:dir search; 337 338r_dir_file(system_server, sysfs_android_usb) 339allow system_server sysfs_android_usb:file w_file_perms; 340 341allow system_server sysfs_extcon:dir r_dir_perms; 342 343r_dir_file(system_server, sysfs_ipv4) 344allow system_server sysfs_ipv4:file w_file_perms; 345 346r_dir_file(system_server, sysfs_rtc) 347r_dir_file(system_server, sysfs_switch) 348r_dir_file(system_server, sysfs_wakeup_reasons) 349 350allow system_server sysfs_nfc_power_writable:file rw_file_perms; 351allow system_server sysfs_power:dir search; 352allow system_server sysfs_power:file rw_file_perms; 353allow system_server sysfs_thermal:dir search; 354allow system_server sysfs_thermal:file r_file_perms; 355 356# TODO: Remove when HALs are forced into separate processes 357allow system_server sysfs_vibrator:file { write append }; 358 359# TODO: added to match above sysfs rule. Remove me? 360allow system_server sysfs_usb:file w_file_perms; 361 362# Access devices. 363allow system_server device:dir r_dir_perms; 364allow system_server mdns_socket:sock_file rw_file_perms; 365allow system_server gpu_device:chr_file rw_file_perms; 366allow system_server input_device:dir r_dir_perms; 367allow system_server input_device:chr_file rw_file_perms; 368allow system_server tty_device:chr_file rw_file_perms; 369allow system_server usbaccessory_device:chr_file rw_file_perms; 370allow system_server video_device:dir r_dir_perms; 371allow system_server video_device:chr_file rw_file_perms; 372allow system_server adbd_socket:sock_file rw_file_perms; 373allow system_server rtc_device:chr_file rw_file_perms; 374allow system_server audio_device:dir r_dir_perms; 375 376# write access to ALSA interfaces (/dev/snd/*) needed for MIDI 377allow system_server audio_device:chr_file rw_file_perms; 378 379# tun device used for 3rd party vpn apps 380allow system_server tun_device:chr_file rw_file_perms; 381allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF }; 382 383# Manage data/ota_package 384allow system_server ota_package_file:dir rw_dir_perms; 385allow system_server ota_package_file:file create_file_perms; 386 387# Manage system data files. 388allow system_server system_data_file:dir create_dir_perms; 389allow system_server system_data_file:notdevfile_class_set create_file_perms; 390allow system_server packages_list_file:file create_file_perms; 391allow system_server keychain_data_file:dir create_dir_perms; 392allow system_server keychain_data_file:file create_file_perms; 393allow system_server keychain_data_file:lnk_file create_file_perms; 394 395# Manage /data/app. 396allow system_server apk_data_file:dir create_dir_perms; 397allow system_server apk_data_file:{ file lnk_file } { create_file_perms link }; 398allow system_server apk_tmp_file:dir create_dir_perms; 399allow system_server apk_tmp_file:file create_file_perms; 400 401# Access input configuration files in the /vendor directory 402r_dir_file(system_server, vendor_keylayout_file) 403r_dir_file(system_server, vendor_keychars_file) 404r_dir_file(system_server, vendor_idc_file) 405 406# Access /vendor/{app,framework,overlay} 407r_dir_file(system_server, vendor_app_file) 408r_dir_file(system_server, vendor_framework_file) 409r_dir_file(system_server, vendor_overlay_file) 410 411# Manage /data/app-private. 412allow system_server apk_private_data_file:dir create_dir_perms; 413allow system_server apk_private_data_file:file create_file_perms; 414allow system_server apk_private_tmp_file:dir create_dir_perms; 415allow system_server apk_private_tmp_file:file create_file_perms; 416 417# Manage files within asec containers. 418allow system_server asec_apk_file:dir create_dir_perms; 419allow system_server asec_apk_file:file create_file_perms; 420allow system_server asec_public_file:file create_file_perms; 421 422# Manage /data/anr. 423# 424# TODO: Some of these permissions can be withdrawn once we've switched to the 425# new stack dumping mechanism, see b/32064548 and the rules below. In particular, 426# the system_server should never need to create a new anr_data_file:file or write 427# to one, but it will still need to read and append to existing files. 428allow system_server anr_data_file:dir create_dir_perms; 429allow system_server anr_data_file:file create_file_perms; 430 431# New stack dumping scheme : request an output FD from tombstoned via a unix 432# domain socket. 433# 434# Allow system_server to connect and write to the tombstoned java trace socket in 435# order to dump its traces. Also allow the system server to write its traces to 436# dumpstate during bugreport capture and incidentd during incident collection. 437unix_socket_connect(system_server, tombstoned_java_trace, tombstoned) 438allow system_server tombstoned:fd use; 439allow system_server dumpstate:fifo_file append; 440allow system_server incidentd:fifo_file append; 441# Write to a pipe created from `adb shell` (for debuggerd -j `pidof system_server`) 442userdebug_or_eng(` 443 allow system_server su:fifo_file append; 444') 445 446# Allow system_server to read pipes from incidentd (used to deliver incident reports 447# to dropbox) 448allow system_server incidentd:fifo_file read; 449 450# Read /data/misc/incidents - only read. The fd will be sent over binder, 451# with no DAC access to it, for dropbox to read. 452allow system_server incident_data_file:file read; 453 454# Manage /data/misc/prereboot. 455allow system_server prereboot_data_file:dir rw_dir_perms; 456allow system_server prereboot_data_file:file create_file_perms; 457 458# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over 459# binder. 460allow system_server perfetto_traces_data_file:file read; 461allow system_server perfetto:fd use; 462 463# Manage /data/backup. 464allow system_server backup_data_file:dir create_dir_perms; 465allow system_server backup_data_file:file create_file_perms; 466 467# Write to /data/system/dropbox 468allow system_server dropbox_data_file:dir create_dir_perms; 469allow system_server dropbox_data_file:file create_file_perms; 470 471# Write to /data/system/heapdump 472allow system_server heapdump_data_file:dir rw_dir_perms; 473allow system_server heapdump_data_file:file create_file_perms; 474 475# Manage /data/misc/adb. 476allow system_server adb_keys_file:dir create_dir_perms; 477allow system_server adb_keys_file:file create_file_perms; 478 479# Manage /data/misc/emergencynumberdb 480allow system_server emergency_data_file:dir create_dir_perms; 481allow system_server emergency_data_file:file create_file_perms; 482 483# Manage /data/misc/network_watchlist 484allow system_server network_watchlist_data_file:dir create_dir_perms; 485allow system_server network_watchlist_data_file:file create_file_perms; 486 487# Manage /data/misc/sms. 488# TODO: Split into a separate type? 489allow system_server radio_data_file:dir create_dir_perms; 490allow system_server radio_data_file:file create_file_perms; 491 492# Manage /data/misc/systemkeys. 493allow system_server systemkeys_data_file:dir create_dir_perms; 494allow system_server systemkeys_data_file:file create_file_perms; 495 496# Manage /data/misc/textclassifier. 497allow system_server textclassifier_data_file:dir create_dir_perms; 498allow system_server textclassifier_data_file:file create_file_perms; 499 500# Access /data/tombstones. 501allow system_server tombstone_data_file:dir r_dir_perms; 502allow system_server tombstone_data_file:file r_file_perms; 503 504# Manage /data/misc/vpn. 505allow system_server vpn_data_file:dir create_dir_perms; 506allow system_server vpn_data_file:file create_file_perms; 507 508# Manage /data/misc/wifi. 509allow system_server wifi_data_file:dir create_dir_perms; 510allow system_server wifi_data_file:file create_file_perms; 511 512# Manage /data/misc/zoneinfo. 513allow system_server zoneinfo_data_file:dir create_dir_perms; 514allow system_server zoneinfo_data_file:file create_file_perms; 515 516# Manage /data/app-staging. 517allow system_server staging_data_file:dir create_dir_perms; 518allow system_server staging_data_file:file create_file_perms; 519 520# Walk /data/data subdirectories. 521# Types extracted from seapp_contexts type= fields. 522allow system_server { 523 system_app_data_file 524 bluetooth_data_file 525 nfc_data_file 526 radio_data_file 527 shell_data_file 528 app_data_file 529 privapp_data_file 530}:dir { getattr read search }; 531 532# Also permit for unlabeled /data/data subdirectories and 533# for unlabeled asec containers on upgrades from 4.2. 534allow system_server unlabeled:dir r_dir_perms; 535# Read pkg.apk file before it has been relabeled by vold. 536allow system_server unlabeled:file r_file_perms; 537 538# Populate com.android.providers.settings/databases/settings.db. 539allow system_server system_app_data_file:dir create_dir_perms; 540allow system_server system_app_data_file:file create_file_perms; 541 542# Receive and use open app data files passed over binder IPC. 543# Types extracted from seapp_contexts type= fields. 544allow system_server { 545 system_app_data_file 546 bluetooth_data_file 547 nfc_data_file 548 radio_data_file 549 shell_data_file 550 app_data_file 551 privapp_data_file 552}:file { getattr read write append map }; 553 554# Access to /data/media for measuring disk usage. 555allow system_server media_rw_data_file:dir { search getattr open read }; 556 557# Receive and use open /data/media files passed over binder IPC. 558# Also used for measuring disk usage. 559allow system_server media_rw_data_file:file { getattr read write append }; 560 561# System server needs to setfscreate to packages_list_file when writing 562# /data/system/packages.list 563allow system_server system_server:process setfscreate; 564 565# Relabel apk files. 566allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto }; 567allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto }; 568 569# Relabel wallpaper. 570allow system_server system_data_file:file relabelfrom; 571allow system_server wallpaper_file:file relabelto; 572allow system_server wallpaper_file:file { rw_file_perms rename unlink }; 573 574# Backup of wallpaper imagery uses temporary hard links to avoid data churn 575allow system_server { system_data_file wallpaper_file }:file link; 576 577# ShortcutManager icons 578allow system_server system_data_file:dir relabelfrom; 579allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto }; 580allow system_server shortcut_manager_icons:file create_file_perms; 581 582# Manage ringtones. 583allow system_server ringtone_file:dir { create_dir_perms relabelto }; 584allow system_server ringtone_file:file create_file_perms; 585 586# Relabel icon file. 587allow system_server icon_file:file relabelto; 588allow system_server icon_file:file { rw_file_perms unlink }; 589 590# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)? 591allow system_server system_data_file:dir relabelfrom; 592 593# server_configurable_flags_data_file is used for storing server configurable flags which 594# have been reset during current booting. system_server needs to read the data to perform related 595# disaster recovery actions. 596allow system_server server_configurable_flags_data_file:dir r_dir_perms; 597allow system_server server_configurable_flags_data_file:file r_file_perms; 598 599# Property Service write 600set_prop(system_server, system_prop) 601set_prop(system_server, exported_system_prop) 602set_prop(system_server, exported2_system_prop) 603set_prop(system_server, exported3_system_prop) 604set_prop(system_server, safemode_prop) 605set_prop(system_server, theme_prop) 606set_prop(system_server, dhcp_prop) 607set_prop(system_server, net_radio_prop) 608set_prop(system_server, net_dns_prop) 609set_prop(system_server, system_radio_prop) 610set_prop(system_server, exported_system_radio_prop) 611set_prop(system_server, debug_prop) 612set_prop(system_server, powerctl_prop) 613set_prop(system_server, fingerprint_prop) 614set_prop(system_server, exported_fingerprint_prop) 615set_prop(system_server, device_logging_prop) 616set_prop(system_server, dumpstate_options_prop) 617set_prop(system_server, overlay_prop) 618set_prop(system_server, exported_overlay_prop) 619set_prop(system_server, pm_prop) 620set_prop(system_server, exported_pm_prop) 621set_prop(system_server, socket_hook_prop) 622set_prop(system_server, audio_prop) 623userdebug_or_eng(`set_prop(system_server, wifi_log_prop)') 624 625# ctl interface 626set_prop(system_server, ctl_default_prop) 627set_prop(system_server, ctl_bugreport_prop) 628set_prop(system_server, ctl_gsid_prop) 629 630# cppreopt property 631set_prop(system_server, cppreopt_prop) 632 633# server configurable flags properties 634set_prop(system_server, device_config_input_native_boot_prop) 635set_prop(system_server, device_config_netd_native_prop) 636set_prop(system_server, device_config_activity_manager_native_boot_prop) 637set_prop(system_server, device_config_runtime_native_boot_prop) 638set_prop(system_server, device_config_runtime_native_prop) 639set_prop(system_server, device_config_media_native_prop) 640set_prop(system_server, device_config_storage_native_boot_prop) 641set_prop(system_server, device_config_sys_traced_prop) 642set_prop(system_server, device_config_window_manager_native_boot_prop) 643set_prop(system_server, device_config_configuration_prop) 644 645# BootReceiver to read ro.boot.bootreason 646get_prop(system_server, bootloader_boot_reason_prop) 647# PowerManager to read sys.boot.reason 648get_prop(system_server, system_boot_reason_prop) 649 650# Collect metrics on boot time created by init 651get_prop(system_server, boottime_prop) 652 653# Read device's serial number from system properties 654get_prop(system_server, serialno_prop) 655 656# Read/write the property which keeps track of whether this is the first start of system_server 657set_prop(system_server, firstboot_prop) 658 659# Audio service in system server can read exported audio properties, 660# such as camera shutter enforcement 661get_prop(system_server, exported_audio_prop) 662 663# system server reads this property to keep track of whether server configurable flags have been 664# reset during current boot. 665get_prop(system_server, device_config_reset_performed_prop) 666 667# Read/write the property that enables Test Harness Mode 668set_prop(system_server, test_harness_prop) 669 670# Read gsid.image_running. 671get_prop(system_server, gsid_prop) 672 673# Read the property that mocks an OTA 674get_prop(system_server, mock_ota_prop) 675 676# Read the property as feature flag for protecting apks with fs-verity. 677get_prop(system_server, apk_verity_prop) 678 679# Read wifi.interface 680get_prop(system_server, wifi_prop) 681 682# Read the vendor property that indicates if Incremental features is enabled 683get_prop(system_server, incremental_prop) 684 685# Create a socket for connections from debuggerd. 686allow system_server system_ndebug_socket:sock_file create_file_perms; 687 688# Create a socket for connections from zygotes. 689allow system_server system_unsolzygote_socket:sock_file create_file_perms; 690 691# Manage cache files. 692allow system_server cache_file:lnk_file r_file_perms; 693allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms }; 694allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms }; 695allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms; 696 697allow system_server system_file:dir r_dir_perms; 698allow system_server system_file:lnk_file r_file_perms; 699 700# ART locks profile files. 701allow system_server system_file:file lock; 702 703# LocationManager(e.g, GPS) needs to read and write 704# to uart driver and ctrl proc entry 705allow system_server gps_control:file rw_file_perms; 706 707# Allow system_server to use app-created sockets and pipes. 708allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown }; 709allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write }; 710 711# BackupManagerService needs to manipulate backup data files 712allow system_server cache_backup_file:dir rw_dir_perms; 713allow system_server cache_backup_file:file create_file_perms; 714# LocalTransport works inside /cache/backup 715allow system_server cache_private_backup_file:dir create_dir_perms; 716allow system_server cache_private_backup_file:file create_file_perms; 717 718# Allow system to talk to usb device 719allow system_server usb_device:chr_file rw_file_perms; 720allow system_server usb_device:dir r_dir_perms; 721 722# Read from HW RNG (needed by EntropyMixer). 723allow system_server hw_random_device:chr_file r_file_perms; 724 725# Read and delete files under /dev/fscklogs. 726r_dir_file(system_server, fscklogs) 727allow system_server fscklogs:dir { write remove_name }; 728allow system_server fscklogs:file unlink; 729 730# logd access, system_server inherit logd write socket 731# (urge is to deprecate this long term) 732allow system_server zygote:unix_dgram_socket write; 733 734# Read from log daemon. 735read_logd(system_server) 736read_runtime_log_tags(system_server) 737 738# Be consistent with DAC permissions. Allow system_server to write to 739# /sys/module/lowmemorykiller/parameters/adj 740# /sys/module/lowmemorykiller/parameters/minfree 741allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms }; 742 743# Read /sys/fs/pstore/console-ramoops 744# Don't worry about overly broad permissions for now, as there's 745# only one file in /sys/fs/pstore 746allow system_server pstorefs:dir r_dir_perms; 747allow system_server pstorefs:file r_file_perms; 748 749# /sys access 750allow system_server sysfs_zram:dir search; 751allow system_server sysfs_zram:file rw_file_perms; 752 753add_service(system_server, system_server_service); 754allow system_server audioserver_service:service_manager find; 755allow system_server batteryproperties_service:service_manager find; 756allow system_server cameraserver_service:service_manager find; 757allow system_server dataloader_manager_service:service_manager find; 758allow system_server dnsresolver_service:service_manager find; 759allow system_server drmserver_service:service_manager find; 760allow system_server dumpstate_service:service_manager find; 761allow system_server fingerprintd_service:service_manager find; 762allow system_server gatekeeper_service:service_manager find; 763allow system_server gpu_service:service_manager find; 764allow system_server gsi_service:service_manager find; 765allow system_server hal_fingerprint_service:service_manager find; 766allow system_server idmap_service:service_manager find; 767allow system_server incident_service:service_manager find; 768allow system_server incremental_service:service_manager find; 769allow system_server installd_service:service_manager find; 770allow system_server iorapd_service:service_manager find; 771allow system_server keystore_service:service_manager find; 772allow system_server mediaserver_service:service_manager find; 773allow system_server mediametrics_service:service_manager find; 774allow system_server mediaextractor_service:service_manager find; 775allow system_server mediadrmserver_service:service_manager find; 776allow system_server netd_service:service_manager find; 777allow system_server nfc_service:service_manager find; 778allow system_server radio_service:service_manager find; 779allow system_server stats_service:service_manager find; 780allow system_server storaged_service:service_manager find; 781allow system_server surfaceflinger_service:service_manager find; 782allow system_server update_engine_service:service_manager find; 783allow system_server vold_service:service_manager find; 784allow system_server wifinl80211_service:service_manager find; 785 786add_service(system_server, batteryproperties_service) 787 788allow system_server keystore:keystore_key { 789 get_state 790 get 791 insert 792 delete 793 exist 794 list 795 reset 796 password 797 lock 798 unlock 799 is_empty 800 sign 801 verify 802 grant 803 duplicate 804 clear_uid 805 add_auth 806 user_changed 807}; 808 809# Allow system server to search and write to the persistent factory reset 810# protection partition. This block device does not get wiped in a factory reset. 811allow system_server block_device:dir search; 812allow system_server frp_block_device:blk_file rw_file_perms; 813allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD }; 814 815# Clean up old cgroups 816allow system_server cgroup:dir { remove_name rmdir }; 817 818# /oem access 819r_dir_file(system_server, oemfs) 820 821# Allow resolving per-user storage symlinks 822allow system_server { mnt_user_file storage_file }:dir { getattr search }; 823allow system_server { mnt_user_file storage_file }:lnk_file { getattr read }; 824 825# Allow statfs() on storage devices, which happens fast enough that 826# we shouldn't be killed during unsafe removal 827allow system_server sdcard_type:dir { getattr search }; 828 829# Traverse into expanded storage 830allow system_server mnt_expand_file:dir r_dir_perms; 831 832# Allow system process to relabel the fingerprint directory after mkdir 833# and delete the directory and files when no longer needed 834allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write }; 835allow system_server fingerprintd_data_file:file { getattr unlink }; 836 837userdebug_or_eng(` 838 # Allow system server to create and write method traces in /data/misc/trace. 839 allow system_server method_trace_data_file:dir w_dir_perms; 840 allow system_server method_trace_data_file:file { create w_file_perms }; 841 842 # Allow system server to read dmesg 843 allow system_server kernel:system syslog_read; 844 845 # Allow writing and removing window traces in /data/misc/wmtrace. 846 allow system_server wm_trace_data_file:dir rw_dir_perms; 847 allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms }; 848') 849 850# For AppFuse. 851allow system_server vold:fd use; 852allow system_server fuse_device:chr_file { read write ioctl getattr }; 853allow system_server app_fuse_file:file { read write getattr }; 854 855# For configuring sdcardfs 856allow system_server configfs:dir { create_dir_perms }; 857allow system_server configfs:file { getattr open create unlink write }; 858 859# Connect to adbd and use a socket transferred from it. 860# Used for e.g. jdwp. 861allow system_server adbd:unix_stream_socket connectto; 862allow system_server adbd:fd use; 863allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown }; 864 865# Read service.adb.tls.port, persist.adb.wifi. properties 866get_prop(system_server, adbd_prop) 867 868# Set persist.adb.tls_server.enable property 869set_prop(system_server, system_adbd_prop) 870 871# Allow invoking tools like "timeout" 872allow system_server toolbox_exec:file rx_file_perms; 873 874# Allow system process to setup and measure fs-verity 875allowxperm system_server apk_data_file:file ioctl { 876 FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY 877}; 878 879# Postinstall 880# 881# For OTA dexopt, allow calls coming from postinstall. 882binder_call(system_server, postinstall) 883 884allow system_server postinstall:fifo_file write; 885allow system_server update_engine:fd use; 886allow system_server update_engine:fifo_file write; 887 888# Access to /data/preloads 889allow system_server preloads_data_file:file { r_file_perms unlink }; 890allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir }; 891allow system_server preloads_media_file:file { r_file_perms unlink }; 892allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir }; 893 894r_dir_file(system_server, cgroup) 895allow system_server ion_device:chr_file r_file_perms; 896 897r_dir_file(system_server, proc_asound) 898r_dir_file(system_server, proc_net_type) 899r_dir_file(system_server, proc_qtaguid_stat) 900allow system_server { 901 proc_cmdline 902 proc_loadavg 903 proc_meminfo 904 proc_pagetypeinfo 905 proc_pipe_conf 906 proc_stat 907 proc_uid_cputime_showstat 908 proc_uid_io_stats 909 proc_uid_time_in_state 910 proc_uid_concurrent_active_time 911 proc_uid_concurrent_policy_time 912 proc_version 913 proc_vmallocinfo 914}:file r_file_perms; 915 916allow system_server proc_uid_time_in_state:dir r_dir_perms; 917allow system_server proc_uid_cpupower:file r_file_perms; 918 919r_dir_file(system_server, rootfs) 920 921# Allow WifiService to start, stop, and read wifi-specific trace events. 922allow system_server debugfs_tracing_instances:dir search; 923allow system_server debugfs_wifi_tracing:dir search; 924allow system_server debugfs_wifi_tracing:file rw_file_perms; 925 926# Allow system_server to read tracepoint ids in order to attach BPF programs to them. 927allow system_server debugfs_tracing:file r_file_perms; 928 929# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run 930# asanwrapper. 931with_asan(` 932 allow system_server shell_exec:file rx_file_perms; 933 allow system_server asanwrapper_exec:file rx_file_perms; 934 allow system_server zygote_exec:file rx_file_perms; 935') 936 937# allow system_server to read the eBPF maps that stores the traffic stats information and update 938# the map after snapshot is recorded, and to read, update and run the maps and programs used for 939# time in state accounting 940allow system_server fs_bpf:dir search; 941allow system_server fs_bpf:file { read write }; 942allow system_server bpfloader:bpf { map_read map_write prog_run }; 943 944# ART Profiles. 945# Allow system_server to open profile snapshots for read. 946# System server never reads the actual content. It passes the descriptor to 947# to privileged apps which acquire the permissions to inspect the profiles. 948allow system_server user_profile_data_file:dir { getattr search }; 949allow system_server user_profile_data_file:file { getattr open read }; 950 951# System server may dump profile data for debuggable apps in the /data/misc/profman. 952# As such it needs to be able create files but it should never read from them. 953allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms}; 954allow system_server profman_dump_data_file:dir w_dir_perms; 955 956# On userdebug build we may profile system server. Allow it to write and create its own profile. 957userdebug_or_eng(` 958 allow system_server user_profile_data_file:file create_file_perms; 959') 960# Allow system server to load JVMTI agents under control of a property. 961get_prop(system_server,system_jvmti_agent_prop) 962 963# UsbDeviceManager uses /dev/usb-ffs 964allow system_server functionfs:dir search; 965allow system_server functionfs:file rw_file_perms; 966 967# system_server contains time / time zone detection logic so reads the associated properties. 968get_prop(system_server, time_prop) 969 970# system_server reads this property to know it should expect the lmkd sends notification to it 971# on low memory kills. 972get_prop(system_server, system_lmk_prop) 973 974### 975### Neverallow rules 976### 977### system_server should NEVER do any of this 978 979# Do not allow opening files from external storage as unsafe ejection 980# could cause the kernel to kill the system_server. 981neverallow system_server sdcard_type:dir { open read write }; 982neverallow system_server sdcard_type:file rw_file_perms; 983 984# system server should never be operating on zygote spawned app data 985# files directly. Rather, they should always be passed via a 986# file descriptor. 987# Types extracted from seapp_contexts type= fields, excluding 988# those types that system_server needs to open directly. 989neverallow system_server { 990 bluetooth_data_file 991 nfc_data_file 992 shell_data_file 993 app_data_file 994 privapp_data_file 995}:file { open create unlink link }; 996 997# Forking and execing is inherently dangerous and racy. See, for 998# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them 999# Prevent the addition of new file execs to stop the problem from 1000# getting worse. b/28035297 1001neverallow system_server { 1002 file_type 1003 -toolbox_exec 1004 -logcat_exec 1005 with_asan(`-shell_exec -asanwrapper_exec -zygote_exec') 1006}:file execute_no_trans; 1007 1008# Ensure that system_server doesn't perform any domain transitions other than 1009# transitioning to the crash_dump domain when a crash occurs. 1010neverallow system_server { domain -crash_dump }:process transition; 1011neverallow system_server *:process dyntransition; 1012 1013# Only allow crash_dump to connect to system_ndebug_socket. 1014neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write }; 1015 1016# Only allow zygotes to connect to system_unsolzygote_socket. 1017neverallow { 1018 domain 1019 -init 1020 -system_server 1021 -zygote 1022 -app_zygote 1023 -webview_zygote 1024} system_unsolzygote_socket:sock_file { open write }; 1025 1026# Only allow init, system_server, flags_health_check to set properties for server configurable flags 1027neverallow { 1028 domain 1029 -init 1030 -system_server 1031 -flags_health_check 1032} { 1033 device_config_activity_manager_native_boot_prop 1034 device_config_input_native_boot_prop 1035 device_config_netd_native_prop 1036 device_config_runtime_native_boot_prop 1037 device_config_runtime_native_prop 1038 device_config_media_native_prop 1039 device_config_storage_native_boot_prop 1040 device_config_sys_traced_prop 1041 device_config_window_manager_native_boot_prop 1042}:property_service set; 1043 1044# system_server should never be executing dex2oat. This is either 1045# a bug (for example, bug 16317188), or represents an attempt by 1046# system server to dynamically load a dex file, something we do not 1047# want to allow. 1048neverallow system_server dex2oat_exec:file no_x_file_perms; 1049 1050# system_server should never execute or load executable shared libraries 1051# in /data. Executable files in /data are a persistence vector. 1052# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example. 1053neverallow system_server data_file_type:file no_x_file_perms; 1054 1055# The only block device system_server should be accessing is 1056# the frp_block_device. This helps avoid a system_server to root 1057# escalation by writing to raw block devices. 1058neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms; 1059 1060# system_server should never use JIT functionality 1061# See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html 1062# in the section titled "A Short ROP Chain" for why. 1063# However, in emulator builds without OpenGL passthrough, we use software 1064# rendering via SwiftShader, which requires JIT support. These builds are 1065# never shipped to users. 1066ifelse(target_requires_insecure_execmem_for_swiftshader, `true', 1067 `allow system_server self:process execmem;', 1068 `neverallow system_server self:process execmem;') 1069neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute; 1070 1071# TODO: deal with tmpfs_domain pub/priv split properly 1072neverallow system_server system_server_tmpfs:file execute; 1073 1074# Resources handed off by system_server_startup 1075allow system_server system_server_startup:fd use; 1076allow system_server system_server_startup_tmpfs:file { read write map }; 1077allow system_server system_server_startup:unix_dgram_socket write; 1078 1079# Allow system server to communicate to apexd 1080allow system_server apex_service:service_manager find; 1081allow system_server apexd:binder call; 1082 1083# Allow system server to scan /apex for flattened APEXes 1084allow system_server apex_mnt_dir:dir r_dir_perms; 1085 1086# Allow system server to communicate to system-suspend's control interface 1087allow system_server system_suspend_control_service:service_manager find; 1088binder_call(system_server, system_suspend) 1089binder_call(system_suspend, system_server) 1090 1091# Allow system server to communicate to system-suspend's wakelock interface 1092wakelock_use(system_server) 1093 1094# Allow the system server to read files under /data/apex. The system_server 1095# needs these privileges to compare file signatures while processing installs. 1096# 1097# Only apexd is allowed to create new entries or write to any file under /data/apex. 1098allow system_server apex_data_file:dir { getattr search }; 1099allow system_server apex_data_file:file r_file_perms; 1100 1101# Allow the system server to read files under /vendor/apex. This is where 1102# vendor APEX packages might be installed and system_server needs to parse 1103# these packages to inspect the signatures and other metadata. 1104allow system_server vendor_apex_file:dir { getattr search }; 1105allow system_server vendor_apex_file:file r_file_perms; 1106 1107# Allow the system server to manage relevant apex module data files. 1108allow system_server apex_module_data_file:dir { getattr search }; 1109allow system_server apex_permission_data_file:dir create_dir_perms; 1110allow system_server apex_permission_data_file:file create_file_perms; 1111allow system_server apex_wifi_data_file:dir create_dir_perms; 1112allow system_server apex_wifi_data_file:file create_file_perms; 1113 1114# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can 1115# communicate which slots are available for use. 1116allow system_server metadata_file:dir search; 1117allow system_server password_slot_metadata_file:dir rw_dir_perms; 1118allow system_server password_slot_metadata_file:file create_file_perms; 1119 1120# Allow system server rw access to files in /metadata/staged-install folder 1121allow system_server staged_install_file:dir rw_dir_perms; 1122allow system_server staged_install_file:file create_file_perms; 1123 1124# Allow init to set sysprop used to compute stats about userspace reboot. 1125set_prop(system_server, userspace_reboot_log_prop) 1126 1127# JVMTI agent settings are only readable from the system server. 1128neverallow { 1129 domain 1130 -system_server 1131 -dumpstate 1132 -init 1133 -vendor_init 1134} { 1135 system_jvmti_agent_prop 1136}:file no_rw_file_perms; 1137 1138# Read/Write /proc/pressure/memory 1139allow system_server proc_pressure_mem:file rw_file_perms; 1140 1141# dexoptanalyzer is currently used only for secondary dex files which 1142# system_server should never access. 1143neverallow system_server dexoptanalyzer_exec:file no_x_file_perms; 1144 1145# No ptracing others 1146neverallow system_server { domain -system_server }:process ptrace; 1147 1148# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID 1149# file read access. However, that is now unnecessary (b/34951864) 1150neverallow system_server system_server:global_capability_class_set sys_resource; 1151 1152# Only system_server/init should access /metadata/password_slots. 1153neverallow { domain -init -system_server } password_slot_metadata_file:dir *; 1154neverallow { 1155 domain 1156 -init 1157 -system_server 1158} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr }; 1159neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *; 1160 1161# Allow systemserver to read/write the invalidation property 1162set_prop(system_server, binder_cache_system_server_prop) 1163neverallow { domain -system_server -init } 1164 binder_cache_system_server_prop:property_service set; 1165 1166# Allow system server to attach BPF programs to tracepoints. Deny read permission so that 1167# system_server cannot use this access to read perf event data like process stacks. 1168allow system_server self:perf_event { open write cpu kernel }; 1169neverallow system_server self:perf_event ~{ open write cpu kernel }; 1170 1171# Do not allow any domain other than init or system server to set the property 1172neverallow { domain -init -system_server } socket_hook_prop:property_service set; 1173